Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
Warren Parad <wparad@rhosys.ch> Fri, 26 February 2021 16:22 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95D243A0EF0 for <oauth@ietfa.amsl.com>; Fri, 26 Feb 2021 08:22:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F1VpxYb7rwOz for <oauth@ietfa.amsl.com>; Fri, 26 Feb 2021 08:22:31 -0800 (PST)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72C633A0ED3 for <oauth@ietf.org>; Fri, 26 Feb 2021 08:22:31 -0800 (PST)
Received: by mail-il1-x131.google.com with SMTP id v8so4838729ilh.12 for <oauth@ietf.org>; Fri, 26 Feb 2021 08:22:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KKsmtjF6uzdq0aCiqTPvex2SMjNFMgJWrC6sZZ/sGJk=; b=CZ6eCt/R4z8DeESEx1P4NDs6KL+OJQ0UYOSCh7794AC2EfhPIWckrKRNRKvA5FSvq1 U9z7wI9l8DsaIsRTEJIeTEd/88ot1yhV9XJXg5ce5e5yw8X9ZJ68ofNV+CsKHfFhlF9S OoK8baImhJL6a5XKDs/Q173t/Rax8iFEDz+OnL6kb4HSBe6P7x1dMzxf0+Nq2iZ9qhNz 9kOw2Uj/jpGI8Z8qLgFYNmtIEJbUkNmcb5NFzSqu/1bpw9bbxScPtFRkZocbcKglF39P ceWyjgWGpgNxJxWwJicBT5YrGNts0Xva1r+BkH6ETOjL4GL4SLGUcsw5b25Cw+GugV67 nz6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KKsmtjF6uzdq0aCiqTPvex2SMjNFMgJWrC6sZZ/sGJk=; b=a8VdBTsslqmHaOhNvox5Yupn/pXtSmdUaRjS+7B8CkDjGEERaFG17bYWYOCAbEG05I vQL9llUrA/hxsFqxjpfoRVQGuhRG2MnR2+mbHxXxxYs4fgSY3JSPpBS+6OmwTSjRlJIr CzZkZPd7/HcXW9wXnD5aRaooSs3KjWdlNYUjMas4kV8AMGQNJY4oZwtP722gCIJkzsHd hfjS22kgHgG8eBCzbGBp3Sc41BhWKSTHJRAfrgDXKPJB5bU6mzVY6Rwzvp/twgZWgiHH 80mFznLtFFZNeJ8XGRX7UIJeifY+FEtP5F/mCZh/vWvX5HIzr2rO8lKvZUPINbV/qHnl 3Piw==
X-Gm-Message-State: AOAM5312/+a7xqUAXcoGmAbXo0Q9GI5CaDlWDrgKt2VD17G3KVup0BFZ l5GjPSv2k7+3W8wS6qloQFBbno5ZFWWq/U0cnv/u
X-Google-Smtp-Source: ABdhPJxXg6dWYtHOlDnyAFZ6z65hO8lPX+8ilhxemPwoERkc+iwhKssqm4ZRdfF0m9atovk4azCo1vHJCkTiKbaXmMk=
X-Received: by 2002:a92:c6ca:: with SMTP id v10mr3084720ilm.195.1614356550568; Fri, 26 Feb 2021 08:22:30 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com> <eb2eaaa7-7f7e-4170-ab87-1cc1fdd3359b@www.fastmail.com> <CAJot-L0PS_3LxEkC-jd1aqXDdYF+z8BajSs4Rhx3LgRPn6wkdQ@mail.gmail.com> <DAB127D7-809F-4EC2-A043-9B15E2DB8E07@tzi.org> <CAJot-L1e8GegjXjADRQ87tGqnSREoO4bEKLX+kPkZFsQpevGQA@mail.gmail.com> <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com> <CAJot-L2KO2dOzZQJJeB1kbk6_KTQwUYUsoJOoRt=9maynS1jZg@mail.gmail.com> <121f52be-4747-45f3-ad75-79fa2f693d75@beta.fastmail.com> <E84B4446-5F74-402B-8071-A1164EF0B02C@mit.edu> <6b5d0e34-340f-4f93-83ef-817d4624ec7d@dogfood.fastmail.com> <CAPLh0AMfncjJ0iaZ5gmzrh1D0Z7WCOtG-+6GZkmzfQuAttsBtw@mail.gmail.com> <CAPLh0AMEnbak8=6boESQCgTd=Au4V9O=wCqGCz5qEU-d3y0g5g@mail.gmail.com> <6E2CD5EE-55D9-403A-835D-032ECA39CBFB@mit.edu>
In-Reply-To: <6E2CD5EE-55D9-403A-835D-032ECA39CBFB@mit.edu>
From: Warren Parad <wparad@rhosys.ch>
Date: Fri, 26 Feb 2021 17:22:19 +0100
Message-ID: <CAJot-L1x_AxjQAH7uJ+GsW1jcc93b8ijJ7uyiVRRDZtZf=NXCw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Seán Kelleher <sean@trustap.com>, Bron Gondwana <brong@fastmailteam.com>, Phillip Hallam-Baker <phill@hallambaker.com>, "oauth@ietf.org" <oauth@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bcdf7505bc3facf2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/glKhF_Mw3s6KWCR1phQFB43SZ2A>
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 16:22:35 -0000
A) I don't think it is helpful to talk about what other WGs are doing, or how GNAP attempts to fix or not fix these problems. B) Sharing statements like this: > Right, it’s possible to patch OAuth to do this, but the whole > “registration equals trust” mindset is baked into OAuth at a really core > level. That’s one of the main reasons there’s been hesitance at deploying > dynamic registration Don't help everyone come to the same conclusion, Who is "we" here, it begs the question "is there a mindset baked into OAuth", I think to work effectively we need to be talking about how to best to tackle challenges everyone and anyone brings up and not fallback on arbitrary statements. It would be one thing to point to a document which outlines the exact issues with dynamic registration and then we could potentially have a valuable conversation about "are those reasons still relevant or do we need to revisit." Right now it seems there is "Someone in the past decided this was a bad idea, so we can't do it", rather than actually having the conversation about it. Just based on the conversation, it seems like the obvious right thing to do is provide dynamic registration in OAuth. Will client developers do the wrong thing, sure. Might it be challenging to support in a simple way, maybe. But having the addition to OAuth to solve the problem is better than nothing, and further it starts to change the mindset that dynamic registration is and should be provided when appropriate. Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. On Fri, Feb 26, 2021 at 5:11 PM Justin Richer <jricher@mit.edu> wrote: > Right, it’s possible to patch OAuth to do this, but the whole > “registration equals trust” mindset is baked into OAuth at a really core > level. That’s one of the main reasons there’s been hesitance at deploying > dynamic registration. It’s an extension that changes your trust model’s > assumptions, and does so in a way that is challenging for a lot of large > scale providers. > > That’s why I personally think it’s really important that we get away from > that registration model in GNAP, so we don’t repeat that same problem in > the same way. Some people will still deploy GNAP with static registration, > but this model becomes more exceptional than baseline. The philosophy of > what’s considered an extension vs. default is important. > > — Justin > > On Feb 25, 2021, at 3:41 AM, Seán Kelleher <sean@trustap.com> wrote: > > Yep, this is the big point - OAuth is designed to require the the third >> leg of trust that creates the NxM problem. > > > I believe the snippet of Justin's that you quoted actually shows you how > you can forgo the trust element using dynamic client registration. It still > allows a "server" to identify requests and impose security policies via the > client ID, but without requiring the client author to manually register the > client in advance of using it (e.g. in the case where the client author > doesn't even know what servers the client is going to be connecting to). > You still need the client ID, but anyone can get one whenever they need it. > > I'm also feeling a bit of confusion arising from a conflation of terms > between the regular client/server model and the terminology used in OAuth. > To be clear, in OAuth, the level of trust between the client and authZ > server only really depends on policy; as mentioned, dynamic client > registration can be used if you don't need any trust between the client and > AS. > > On Thu, 25 Feb 2021 at 08:22, Seán Kelleher <sean@trustap.com> wrote: > >> Just to clarify, I assume in this discourse that the "server" in this >> client and server relationship refers to an AS/RS pair in OAuth >> terminology? Based on this, one big sticking point for me on the >> applicability of NxM, or even 1xM, is that all of the "M" RSs need to >> publish the same interface for any meaningful implementation in the first >> place. >> >> It probably makes more sense with email clients, since as Bron said, >> there is the common standard of POP. If we assume that all the email >> services that we want to connect to publish the same POP interface, and >> would accept tokens in the same way, then the way the authZ is handled is >> indeed the point of divergence that needs to be resolved. >> >> However, we're talking about NxM in the general case here. I feel like >> using the likes of discovery and dynamic registration, etc. that's already >> supported by OAuth, the "N" part of this equation is surmountable. But each >> of the "M" servers also need to export the same interface, otherwise a >> client is going to have to write custom code to deal with talking to the >> service after the authZ step anyway, reintroducing the "problem" part of >> the NxM problem. >> >> As such, I would actually suggest constraining this discussion to just >> the POP NxM problem rather than NxM in general because, for me at least, >> the authZ part of the general case is the most "solved" part of the >> problem, and the outstanding work lies more in consolidating the "M" RS >> interfaces. >> >> On Wed, 24 Feb 2021 at 22:32, Bron Gondwana <brong@fastmailteam.com> >> wrote: >> >>> On Thu, Feb 25, 2021, at 02:18, Justin Richer wrote: >>> >>> I agree that the NxM problem is the purview of the whole IETF, but it’s >>> something that we’re particularly interested in over in GNAP. As the editor >>> of OAuth’s dynamic registration extension and the GNAP core protocol, I >>> hope I can add to this conversation. >>> >>> From a technical standpoint, OAuth’s dynamic client registration lets >>> arbitrary clients talk to an AS, but the trust isn’t there in practice. On >>> top of that I think this problem is exacerbated by a fundamental protocol >>> design element of OAuth: the client_id that’s required. That field means >>> there’s an assumption that a relationship was set up between the pieces of >>> software, implied to be trusted by admins at the AS. Sure you can get that >>> client_id under special circumstances, but there’s still a special weight >>> handed to that and the dynamic stuff feels like you’re giving up control as >>> an AS. In GNAP, the relationship is inverted, and it’s designed as >>> “dynamic-first”, with pre-registered clients being an optimization on top >>> of that. >>> >>> >>> Yep, this is the big point - OAuth is designed to require the the third >>> leg of trust that creates the NxM problem. >>> >>> >>> <image.png> >>> >>> If that dotted line between client and server requires a pre-existing >>> trust relationship rather than the trust being entirely mediated by the >>> user choosing to connect client A with server B, then you have the NxM >>> problem. This is the "you can only have your John Deere tractor serviced >>> by an approved John Deere service centre" problem. You can only use this >>> client with servers who have pre-approved it. Or fall back to the "cash of >>> the internet" - plain text passwords. >>> >>> Does this solve the NxM problem? No, because companies are still going >>> to decide that they only talk to keys or identifiers that they know ahead >>> of time. But the protocol puts the dynamic case forward as baseline and >>> fits in much better with the likes of JMAP than OAuth ever could: >>> >>> - {The Bat} creates a key pair. >>> - {User} enters their email address into {Bat}, {Bat} does discovery >>> (maybe that’s a JMAP thing? Webfinger?) and finds the JMAP server and the >>> GNAP endpoint for authentication as an option. >>> - {Bat} talks to the GNAP AS at {ISP} and presents the key it just made >>> up. {ISP} has never seen this key, but knows how to talk GNAP and get the >>> user to authorize {Bat} to access email. >>> - {User} does this using GNAP and gets back an access token that’s tied >>> to the key {Bat} made back at the beginning. That token is tied (at the >>> {ISP}) to the user’s account. >>> >>> Yes, you can do all of this today with OAuth (and people have done so), >>> but OAuth’s basic model of “go do discovery and registration first and THEN >>> talk to me” is a trust impediment more than it is a technical impediment. >>> The “negotiation” part of the GNAP name comes from the philosophy of “start >>> talking first and figure out what you need as you go”. Instead of jumping >>> through hoops to get something you can trust, you just start in and then >>> decide how much you trust it. A corporate rollout could use its own key >>> distribution mechanism and static registration to limit which client >>> instances talk back to the company server, regardless of which accounts >>> would authorize access on top of that. An internet-facing service is going >>> to be more likely to take a TLS approach, of “I’ll talk to you in a secure >>> fashion without caring who you are right now”. >>> >>> We really are trying to make GNAP a consistent protocol at its core and >>> learn from problems with OAuth in the wild, all while letting GNAP address >>> a wider variety of use cases. I agree that GNAP could be clearer about >>> specific use cases, and we’re working on the spec still so any help here is >>> appreciated. >>> >>> >>> Excellent. This is precisely what I've been waiting for for these very >>> many years as a viable replacement for storing a password locally on disk. >>> Just having the server able to distinguish between different client >>> instances for the same user is a big start, because you can de-authorise >>> one without having to lock out every connection - even if the user is still >>> entering their password during the setup phase each time. >>> >>> This is what Fastmail already do with our own app, creating a long-lived >>> access token and storing that on the device rather than storing the >>> password itself - and you can log out any one client from your security >>> settings page. What's missing is a standard way to do that with any IMAP >>> client. The initial JMAP authentication proposal was a very simple case of >>> pretty much this, build into to the protocol so everyone would do it. >>> >>> Making it easy to connect up arbitrary clients with per-client tokens >>> the default, and easy rather than almost impossible to do in practice is >>> where the big difference comes in. >>> >>> Bron. >>> >>> -- >>> Bron Gondwana, CEO, Fastmail Pty Ltd >>> brong@fastmailteam.com >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- [OAUTH-WG] JMAP's experience with proposing an Au… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Roman Danyliw
- Re: [OAUTH-WG] JMAP's experience with proposing a… Brian Campbell
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Kathleen Moriarty
- Re: [OAUTH-WG] JMAP's experience with proposing a… Phil Hunt
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] JMAP's experience with proposing a… Evert Pot
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Eric Rescorla
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Phillip Hallam-Baker
- [OAUTH-WG] Building Real Internet Platforms Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Larry Masinter
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Jim Manico
- [OAUTH-WG] We appear to still be litigating OAuth… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Carsten Bormann
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Neil Madden
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Michael Richardson
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hunt
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… ST GERMAIN
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- [OAUTH-WG] How to tell people... Was: We appear t… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Christian Huitema
- Re: [OAUTH-WG] We appear to still be litigating O… David Waite
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jeff Craig
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Vittorio Bertola